Antivirus Security Pro won't let me do anything on my pc!


25 replies to this topic

#1 dstreet27 (Members, 15 posts)

Posted 04 June 2014 - 05:12 PM

Hi! I can't do anything! This Antivirus VIRUS prevents me from booting in safe mode to kill it! Please Help! Thanks!

 

Windows 7 64Bit.


Edited by dstreet27, 04 June 2014 - 08:08 PM.




#2 Aaflac (Malware Response Team, 2,307 posts)

Posted 04 June 2014 - 09:44 PM

Please try the following:

 

You may want to print these instructions so you can have access to them.

Also, you may want to read them once before you apply them.

 

Please plug a USB pen drive into a working computer.

 

Go to the Farbar Recovery Scan Tool Download
http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/

Select the download that applies to your system: 64-bit

Save the program to the >> USB pen drive.

Remove USB pen drive when done.

 

Now, go to the problem computer.

Plug in the USB pen drive which has FRST.

 

Start the computer, and tap the F8 key until you get to the Advanced Boot Options

Use the arrow keys to select the Repair your computer menu item

 

From there...

Select your language settings, and click: Next

Select your User account and click: OK (If you did not set a password, leave blank.)

 

On the System Recovery Options you get the following options:

 

Startup Repair

System Restore

Windows Complete PC Restore

Windows Memory Diagnostic Tool

Scan your computer's memory for errors

Command Prompt

 

Select: Command Prompt

 

In the Command Prompt window, at the blinking cursor type notepad and press: Enter

In Notepad, under the File menu select: Open

Double-click the Computer icon on the left.

Find the pen drive letter, remember what letter it is, click on it, and press: Open

Close out of Notepad.

 

Click the Command Prompt window

Type x:\frst64.exe, and press: Enter

Note: Replace the drive letter x with the drive letter of your pen drive!

 

FRST starts, and prepares to run. Follow the prompts.

Click Yes to the Disclaimer.

 

Press the Scan button.

 

The scan runs, and the program saves FRST.txt on the pen drive.

 

When done, click the Command Prompt window, type exit, and press: Enter

 

Back at the System Recovery Options, press: Shutdown

Remove the USB pen drive.

 

Please plug the USB pen drive into the working computer, and please provide the FRST.txt in your reply.
 


Old duck...


#3 dstreet27 (Topic Starter, Members, 15 posts)

Posted 04 June 2014 - 10:21 PM

Hi and Thanks for your fast reply!

 

Here it is!

 

Scan result of Farbar Recovery Scan Tool (FRST.txt) (x64) Version: 02-06-2014
Ran by SYSTEM on MININT-CDQTCVB on 04-06-2014 23:19:11
Running from H:\
Platform: Windows 7 Home Premium (X64) OS Language: English(US)
Internet Explorer Version 10
Boot Mode: Recovery

The current controlset is ControlSet001
ATTENTION!:=====> If the system is bootable FRST could be run from normal or Safe mode to create a complete log.

The only official download link for FRST:
Download link for 32-Bit version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/81/
Download link for 64-Bit Version: http://www.bleepingcomputer.com/download/farbar-recovery-scan-tool/dl/82/
Download link from any site other than Bleeping Computer is unpermitted or outdated.
See tutorial for FRST: http://www.geekstogo.com/forum/topic/335081-frst-tutorial-how-to-use-farbar-recovery-scan-tool/

==================== Registry (Whitelisted) ==================

HKLM\...\Run: [NvCplDaemon] => C:\Windows\system32\NvCpl.dll [16395880 2009-10-03] (NVIDIA Corporation)
HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-08-25] ()
HKLM\...\Run: [SunJavaUpdateSched] => C:\Program Files\Java\jre6\bin\jusched.exe [171520 2009-12-05] (Sun Microsystems, Inc.)
HKLM\...\Run: [SysTrayApp] => C:\Program Files\IDT\WDM\sttray64.exe [487424 2010-03-23] (IDT, Inc.)
HKLM\...\Run: [Zune Launcher] => C:\Program Files\Zune\ZuneLauncher.exe [163552 2011-08-05] (Microsoft Corporation)
HKLM\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()
HKLM-x32\...\Run: [HPCam_Menu] => c:\Program Files (x86)\Hewlett-Packard\Media\Webcam\MUITransfer\MUIStartMenu.exe [222504 2009-05-19] (CyberLink Corp.)
HKLM-x32\...\Run: [QlbCtrl.exe] => C:\Program Files (x86)\Hewlett-Packard\HP Quick Launch Buttons\QlbCtrl.exe [322104 2009-08-20] ( Hewlett-Packard Development Company, L.P.)
HKLM-x32\...\Run: [WirelessAssistant] => C:\Program Files (x86)\Hewlett-Packard\HP Wireless Assistant\HPWAMain.exe [498744 2009-07-23] (Hewlett-Packard)
HKLM-x32\...\Run: [BabylonToolbar] => C:\Program Files (x86)\BabylonToolbar\BabylonToolbar\1.4.19.19\BabylonToolbarsrv.exe [286720 2010-11-07] (Babylon Ltd.)
HKLM-x32\...\Run: [Adobe ARM] => C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe [937920 2011-06-06] (Adobe Systems Incorporated)
HKLM-x32\...\Run: [AppleSyncNotifier] => C:\Program Files (x86)\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe [59240 2011-11-02] (Apple Inc.)
HKLM-x32\...\Run: [APSDaemon] => C:\Program Files (x86)\Common Files\Apple\Apple Application Support\APSDaemon.exe [59720 2013-04-21] (Apple Inc.)
HKLM-x32\...\Run: [Intuit SyncManager] => C:\Program Files (x86)\Common Files\Intuit\Sync\IntuitSyncManager.exe [1874264 2011-08-09] (Intuit Inc. All rights reserved.)
HKLM-x32\...\Run: [SunJavaUpdateSched] => C:\Program Files (x86)\Common Files\Java\Java Update\jusched.exe [254696 2012-01-18] (Sun Microsystems, Inc.)
HKLM-x32\...\Run: [QuickTime Task] => C:\Program Files (x86)\QuickTime\QTTask.exe [421888 2013-04-30] (Apple Inc.)
HKLM-x32\...\Run: [iTunesHelper] => C:\Program Files (x86)\iTunes\iTunesHelper.exe [152392 2013-05-31] (Apple Inc.)
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\3V7spggp\3V7spggp.exe -sm,
HKU\Default\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\jordan\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
HKU\jordan\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-05-31] (Google Inc.)
HKU\jordan\...\RunOnce: [FlashPlayerUpdate] - C:\Windows\SysWOW64\Macromed\Flash\FlashUtil32_11_6_602_180_ActiveX.exe -update activex
HKU\jordan\...\RunOnce: [Application Restart #0] - C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-05-31] (Google Inc.)
HKU\jordan\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\Michelle\...\Run: [LightScribe Control Panel] => C:\Program Files (x86)\Common Files\LightScribe\LightScribeControlPanel.exe -hidden
HKU\Michelle\...\Run: [msnmsgr] => C:\Program Files (x86)\Windows Live\Messenger\msnmsgr.exe [4280184 2012-03-08] (Microsoft Corporation)
HKU\Michelle\...\Run: [ctfmon.exe] => C:\WINDOWS\system32\ctfmon.exe [9728 2009-07-13] (Microsoft Corporation)
HKU\Michelle\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-05-31] (Google Inc.)
HKU\Michelle\...\Run: [Device Detection] => C:\Program Files (x86)\FUJIFILM\MyFinePix Studio\dd.exe
HKU\Michelle\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)
HKU\Michelle\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()
HKU\Michelle\...\Run: [bthuPING] => rundll32 "C:\Users\Michelle\AppData\Local\Temp\Dispperf.dll",CreateProcessNotify <===== ATTENTION
HKU\Michelle\...\Run: [ctfmutil] => rundll32 "C:\Users\Michelle\AppData\Local\Temp\Dispperf64.dll",CreateProcessNotify <===== ATTENTION
HKU\Michelle\...\Policies\Explorer: [NoDesktopCleanupWizard] 1
HKU\Michelle\...\Policies\Explorer: [HideSCAHealth] 1

==================== Services (Whitelisted) =================

S2 AESTFilters; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\AESTSr64.exe [89600 2009-03-02] (Andrea Electronics Corporation)
S2 MotoConnect Service; C:\Program Files (x86)\Motorola\MotoConnectService\MotoConnectService.exe [91456 2010-04-02] ()
S2 RichVideo; C:\Program Files (x86)\CyberLink\Shared files\RichVideo.exe [247152 2009-07-06] ()
S2 STacSV; C:\Windows\System32\DriverStore\FileRepository\stwrt64.inf_amd64_neutral_960c1f056a541068\STacSV64.exe [247808 2010-03-23] (IDT, Inc.)

==================== Drivers (Whitelisted) ====================

S3 BrSerIf; C:\Windows\System32\DRIVERS\BrSerIf.sys [97280 2006-09-02] (Brother Industries Ltd.)
S3 motccgp; system32\DRIVERS\motccgp.sys [X]
S3 motccgpfl; system32\DRIVERS\motccgpfl.sys [X]
S3 motmodem; system32\DRIVERS\motmodem.sys [X]
S3 MotoSwitchService; system32\DRIVERS\motswch.sys [X]
S3 Motousbnet; system32\DRIVERS\Motousbnet.sys [X]
S3 motusbdevice; system32\DRIVERS\motusbdevice.sys [X]
S3 RimUsb; System32\Drivers\RimUsb_AMD64.sys [X]

==================== NetSvcs (Whitelisted) ===================

==================== One Month Created Files and Folders ========

2014-06-04 18:03 - 2014-06-04 23:19 - 00000000 ____D () C:\FRST

==================== One Month Modified Files and Folders =======

2014-06-04 23:19 - 2014-06-04 18:03 - 00000000 ____D () C:\FRST
2014-06-04 19:16 - 2010-08-08 12:43 - 00000000 ____D () C:\Users\Michelle\AppData\Local\Temp
2014-06-04 19:12 - 2009-07-13 21:13 - 00779306 _____ () C:\Windows\System32\PerfStringBackup.INI
2014-06-04 19:12 - 2009-07-13 20:45 - 00023248 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-1.C7483456-A289-439d-8115-601632D005A0
2014-06-04 19:12 - 2009-07-13 20:45 - 00023248 ____H () C:\Windows\System32\7B296FB0-376B-497e-B012-9C450E1B7327-5P-0.C7483456-A289-439d-8115-601632D005A0
2014-06-04 19:06 - 2010-08-09 18:11 - 00003950 _____ () C:\Windows\System32\Tasks\User_Feed_Synchronization-{1E01D8A2-2BAD-4C87-B415-1806C5BBD75D}
2014-06-04 19:05 - 2014-04-27 17:26 - 00001666 _____ () C:\Users\Michelle\Desktop\Antivirus Security Pro.lnk
2014-06-04 19:05 - 2014-04-27 16:23 - 00000118 _____ () C:\Users\Michelle\Desktop\Antivirus Security Pro support.url
2014-06-04 19:05 - 2014-04-27 13:39 - 00001446 _____ () C:\Windows\setupact.log
2014-06-04 19:05 - 2010-11-27 15:50 - 00000898 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineCore.job
2014-06-04 19:05 - 2009-07-13 21:08 - 00000006 ____H () C:\Windows\Tasks\SA.DAT
2014-06-04 18:18 - 2010-08-08 05:35 - 00000000 ____D () C:\ProgramData\Recovery
2014-06-04 16:17 - 2012-04-23 18:21 - 00000830 _____ () C:\Windows\Tasks\Adobe Flash Player Updater.job
2014-06-04 15:47 - 2010-11-27 15:50 - 00000902 _____ () C:\Windows\Tasks\GoogleUpdateTaskMachineUA.job
2014-06-04 15:17 - 2012-04-23 18:21 - 00003768 _____ () C:\Windows\System32\Tasks\Adobe Flash Player Updater
2014-06-04 15:17 - 2012-04-23 18:20 - 00692400 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerApp.exe
2014-06-04 15:17 - 2011-12-10 15:22 - 00070832 _____ (Adobe Systems Incorporated) C:\Windows\SysWOW64\FlashPlayerCPLApp.cpl
2014-06-04 15:10 - 2014-04-27 13:38 - 00188758 _____ () C:\Windows\PFRO.log
2014-06-04 13:56 - 2010-11-27 15:58 - 00002143 _____ () C:\Users\Public\Desktop\Google Chrome.lnk
2014-06-04 13:42 - 2010-11-27 15:50 - 00003898 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineUA
2014-06-04 13:42 - 2010-11-27 15:50 - 00003646 _____ () C:\Windows\System32\Tasks\GoogleUpdateTaskMachineCore
2014-06-04 13:39 - 2010-11-28 11:58 - 00000000 ____D () C:\Users\Michelle\AppData\Local\CrashDumps
2014-06-04 13:32 - 2013-11-17 03:25 - 00000000 ____D () C:\ProgramData\3V7spggp
ZeroAccess:
C:\Users\Michelle\AppData\Local\Google\Desktop\Install

Files to move or delete:
====================
C:\Users\Michelle\AppData\Roaming\4.ini

Some content of TEMP:
====================
C:\Users\Michelle\AppData\Local\Temp\Dispperf.dll
C:\Users\Michelle\AppData\Local\Temp\Dispperf64.dll
C:\Users\Michelle\AppData\Local\Temp\setup.exe

==================== Known DLLs (Whitelisted) ================

==================== Bamital & volsnap Check =================

C:\Windows\System32\winlogon.exe => MD5 is legit
C:\Windows\System32\wininit.exe => MD5 is legit
C:\Windows\SysWOW64\wininit.exe => MD5 is legit
C:\Windows\explorer.exe => MD5 is legit
C:\Windows\SysWOW64\explorer.exe => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\SysWOW64\svchost.exe => MD5 is legit
C:\Windows\System32\services.exe => MD5 is legit
C:\Windows\System32\User32.dll => MD5 is legit
C:\Windows\SysWOW64\User32.dll => MD5 is legit
C:\Windows\System32\userinit.exe => MD5 is legit
C:\Windows\SysWOW64\userinit.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit
C:\Windows\System32\Drivers\volsnap.sys => MD5 is legit

==================== Restore Points  =========================

==================== Memory info ===========================

Percentage of memory in use: 18%
Total physical RAM: 4022.87 MB
Available physical RAM: 3297.68 MB
Total Pagefile: 4021.02 MB
Available Pagefile: 3291.89 MB
Total Virtual: 8192 MB
Available Virtual: 8191.9 MB

==================== Drives ================================

Drive c: () (Fixed) (Total:582.23 GB) (Free:492.74 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive e: (RECOVERY) (Fixed) (Total:13.65 GB) (Free:2.26 GB) NTFS ==>[System with boot components (obtained from reading drive)]
Drive f: (HP_TOOLS) (Fixed) (Total:0.1 GB) (Free:0.09 GB) FAT32
Drive h: (Lexar) (Removable) (Total:59.62 GB) (Free:59.6 GB) FAT32
Drive x: (Boot) (Fixed) (Total:0.03 GB) (Free:0.03 GB) NTFS
Drive y: () (Fixed) (Total:0.19 GB) (Free:0.16 GB) NTFS ==>[System with boot components (obtained from reading drive)]

==================== MBR & Partition Table ==================

========================================================
Disk: 0 (Size: 596 GB) (Disk ID: 02C51732)
Partition 1: (Active) - (Size=199 MB) - (Type=07 NTFS)
Partition 2: (Not Active) - (Size=582 GB) - (Type=07 NTFS)
Partition 3: (Not Active) - (Size=14 GB) - (Type=07 NTFS)
Partition 4: (Not Active) - (Size=103 MB) - (Type=0C)

========================================================
Disk: 1 (MBR Code: Windows XP) (Size: 60 GB) (Disk ID: C3072E18)
Partition 1: (Not Active) - (Size=60 GB) - (Type=0C)

LastRegBack: 2014-06-04 12:07

==================== End Of Log ============================



#4 Aaflac (Malware Response Team, 2,307 posts)

Posted 05 June 2014 - 07:23 PM

dstreet27,

Please open notepad (Start > All Programs > Accessories > Notepad)
Copy the entire contents of the code box below to Notepad.
Save it to the pen drive where FRST is now located, and name it: fixlist.txt





start
HKLM\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\3V7spggp\3V7spggp.exe -sm,
HKU\Michelle\...\Run: [Google Update*]
HKU\Michelle\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()
HKU\Michelle\...\Run: [bthuPING] => rundll32 "C:\Users\Michelle\AppData\Local\Temp\Dispperf.dll",CreateProcessNotify
HKU\Michelle\...\Run: [ctfmutil] => rundll32 "C:\Users\Michelle\AppData\Local\Temp\Dispperf64.dll",CreateProcessNotify
2014-06-04 19:05 - 2014-04-27 17:26 - 00001666 _____ () C:\Users\Michelle\Desktop\Antivirus Security Pro.lnk
2014-06-04 19:05 - 2014-04-27 16:23 - 00000118 _____ () C:\Users\Michelle\Desktop\Antivirus Security Pro support.url
2014-06-04 13:32 - 2013-11-17 03:25 - 00000000 ____D () C:\ProgramData\3V7spggp
C:\Users\Michelle\AppData\Local\Google\Desktop\Install
C:\Users\Michelle\AppData\Roaming\4.ini
C:\Users\Michelle\AppData\Local\Temp\Dispperf.dll
C:\Users\Michelle\AppData\Local\Temp\Dispperf64.dll
C:\Users\Michelle\AppData\Local\Temp\setup.exe
end

NOTICE: This script is written specifically for this computer!!!
Running this on another computer may cause damage to the Operating System.

Now, please enter System Recovery Options and select the Command Prompt as done before.
Run FRST, and press the Fix button, just once, and wait.

When done, the tool creates a report on the pen drive called: Fixlog.txt

>> Please post the Fixlog.txt in your reply

Also, please post whether you were able to boot to Windows without the Antivirus Security Pro showing.


Old duck...
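The entries Aaflac pulled from the FRST log into fixlist.txt share a few patterns a responder looks for: a second program appended to the Winlogon Userinit value, rundll32 loading DLLs out of the user's Temp folder, an executable with no publisher under a random-named ProgramData folder, an entry FRST itself marked as a ZeroAccess-hidden path, and a policy that hides Action Center warnings. The following Python script is an added example, not part of this thread or of FRST: it runs those checks over FRST-style autorun lines (the sample lines are copied from the log posted above) and shapes what it flags into a fixlist-style list for review.

```python
"""Triage FRST 'Registry (Whitelisted)' autorun lines for the persistence
patterns seen in this thread. Added example, not part of the thread or of FRST."""
import re
from dataclasses import dataclass, field

# One FRST autorun line looks like one of these (copied from the log above):
#   HKLM\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()
#   HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\3V7spggp\3V7spggp.exe -sm,
#   HKU\Michelle\...\Policies\Explorer: [HideSCAHealth] 1
LINE_RE = re.compile(
    r"^(?P<hive>\S+?)\\\.\.\.\\(?P<key>[^:]+): \[(?P<name>[^\]]*)\]\s*(?:=>\s*|-\s+)?(?P<value>.*)$"
)
ATTENTION = "<===== ATTENTION"          # FRST's own marker for entries it distrusts
TEMP_DIR = "\\appdata\\local\\temp\\"   # compared case-insensitively
PROGRAMDATA = "\\programdata\\"


@dataclass
class Finding:
    line: str                            # the raw FRST line
    reasons: list = field(default_factory=list)


def check_line(line):
    """Return a Finding for a suspicious autorun line, or None for a benign one."""
    m = LINE_RE.match(line)
    if not m:
        return None
    key, name, value = m["key"], m["name"], m["value"]
    low = value.lower()
    reasons = []

    if ATTENTION in value:
        # FRST already flagged it (here: a [X] entry with a ZeroAccess-hidden path)
        note = value.split(ATTENTION, 1)[1].strip(" ()")
        reasons.append("flagged by FRST" + (f": {note}" if note else ""))

    if key == "Winlogon" and name == "Userinit":
        # The clean value is "userinit.exe," (or its full System32 path). Anything
        # else in the comma list is launched at every logon, before the shell.
        extra = [p.strip() for p in value.split(",")
                 if p.strip() and not p.strip().lower().endswith("userinit.exe")]
        if extra:
            reasons.append("extra Userinit program: " + "; ".join(extra))

    if "rundll32" in low and TEMP_DIR in low:
        reasons.append("rundll32 loads a DLL from the user's Temp folder")

    if PROGRAMDATA in low and value.rstrip().endswith("()"):
        # "()" is FRST's empty publisher field: no signer/version info on the file
        reasons.append("executable with no publisher under ProgramData")

    if key == "Policies\\Explorer" and name == "HideSCAHealth" and value.strip() == "1":
        reasons.append("policy hides Action Center security warnings")

    return Finding(line, reasons) if reasons else None


def triage(lines):
    """Apply check_line to every line; findings come back in log order."""
    return [f for f in (check_line(l) for l in lines) if f]


def build_fixlist(findings):
    """Shape the findings like the fixlist.txt in this thread: a start/end
    wrapper around the raw entries, with FRST's own annotations stripped."""
    out = ["start"]
    for f in findings:
        entry = f.line.split(ATTENTION, 1)[0].rstrip()
        out.append(entry.replace(" => [X]", ""))   # [X] = target missing/hidden
    out.append("end")
    return out


# Sample input, copied from the FRST log posted in this thread (benign lines included).
SAMPLE_LINES = [
    r"HKLM\...\Run: [NvCplDaemon] => C:\Windows\system32\NvCpl.dll [16395880 2009-10-03] (NVIDIA Corporation)",
    r"HKLM\...\Run: [SmartMenu] => C:\Program Files\Hewlett-Packard\HP MediaSmart\SmartMenu.exe [610872 2009-08-25] ()",
    r"HKLM\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()",
    r"HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\3V7spggp\3V7spggp.exe -sm,",
    r"HKU\Default\...\Policies\Explorer: [NoDesktopCleanupWizard] 1",
    r"HKU\Michelle\...\Run: [swg] => C:\Program Files (x86)\Google\GoogleToolbarNotifier\GoogleToolbarNotifier.exe [39408 2011-05-31] (Google Inc.)",
    r"HKU\Michelle\...\Run: [Google Update*] => [X] <===== ATTENTION (ZeroAccess rootkit hidden path)",
    r"HKU\Michelle\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()",
    r'HKU\Michelle\...\Run: [bthuPING] => rundll32 "C:\Users\Michelle\AppData\Local\Temp\Dispperf.dll",CreateProcessNotify <===== ATTENTION',
    r'HKU\Michelle\...\Run: [ctfmutil] => rundll32 "C:\Users\Michelle\AppData\Local\Temp\Dispperf64.dll",CreateProcessNotify <===== ATTENTION',
    r"HKU\Michelle\...\Policies\Explorer: [HideSCAHealth] 1",
]

if __name__ == "__main__":
    found = triage(SAMPLE_LINES)
    for f in found:
        print(f.line)
        for r in f.reasons:
            print("   ->", r)
    print()
    print("\n".join(build_fixlist(found)))
```

The output list is a starting point for a human review, not a fixlist to run blindly; as the post above says, a real fixlist is written for one specific machine.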


#5 dstreet27 (Topic Starter, Members, 15 posts)

Posted 05 June 2014 - 08:08 PM

Hi and thanks again!

 

Can't open Windows normally (black screen after Windows logo),

but I can now go into Safe Mode with Networking.

 

Thanks!

 

 

Fix result of Farbar Recovery Tool (FRST written by Farbar) (x64) Version: 02-06-2014
Ran by SYSTEM at 2014-06-05 20:43:17 Run:1
Running from H:\
Boot Mode: Recovery
==============================================

Content of fixlist:
*****************
HKLM\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()
HKLM\...\Winlogon: [Userinit] userinit.exe,C:\ProgramData\3V7spggp\3V7spggp.exe -sm,
HKU\Michelle\...\Run: [Google Update*]
HKU\Michelle\...\Run: [AS2014] => C:\ProgramData\3V7spggp\3V7spggp.exe [570368 2013-11-17] ()
HKU\Michelle\...\Run: [bthuPING] => rundll32 "C:\Users\Michelle\AppData\Local\Temp\Dispperf.dll",CreateProcessNotify
HKU\Michelle\...\Run: [ctfmutil] => rundll32 "C:\Users\Michelle\AppData\Local\Temp\Dispperf64.dll",CreateProcessNotify
2014-06-04 19:05 - 2014-04-27 17:26 - 00001666 _____ () C:\Users\Michelle\Desktop\Antivirus Security Pro.lnk
2014-06-04 19:05 - 2014-04-27 16:23 - 00000118 _____ () C:\Users\Michelle\Desktop\Antivirus Security Pro support.url
2014-06-04 13:32 - 2013-11-17 03:25 - 00000000 ____D () C:\ProgramData\3V7spggp
C:\Users\Michelle\AppData\Local\Google\Desktop\Install
C:\Users\Michelle\AppData\Roaming\4.ini
C:\Users\Michelle\AppData\Local\Temp\Dispperf.dll
C:\Users\Michelle\AppData\Local\Temp\Dispperf64.dll
C:\Users\Michelle\AppData\Local\Temp\setup.exe
*****************

HKLM\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value deleted successfully.
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\\Userinit => Value was restored successfully.
HKU\Michelle\Software\Microsoft\Windows\CurrentVersion\Run\\HKU\Michelle\...\Run: [Google Update*] => Value deleted successfully.
HKU\Michelle\Software\Microsoft\Windows\CurrentVersion\Run\\AS2014 => Value not found.
HKU\Michelle\Software\Microsoft\Windows\CurrentVersion\Run\\bthuPING => Value not found.
HKU\Michelle\Software\Microsoft\Windows\CurrentVersion\Run\\ctfmutil => Value not found.
C:\Users\Michelle\Desktop\Antivirus Security Pro.lnk => Moved successfully.
C:\Users\Michelle\Desktop\Antivirus Security Pro support.url => Moved successfully.
C:\ProgramData\3V7spggp => Moved successfully.
C:\Users\Michelle\AppData\Local\Google\Desktop\Install => Moved successfully.
C:\Users\Michelle\AppData\Roaming\4.ini => Moved successfully.
C:\Users\Michelle\AppData\Local\Temp\Dispperf.dll => Moved successfully.
C:\Users\Michelle\AppData\Local\Temp\Dispperf64.dll => Moved successfully.
C:\Users\Michelle\AppData\Local\Temp\setup.exe => Moved successfully.

==== End of Fixlog ====



#6 Aaflac (Malware Response Team, 2,307 posts)

Posted 05 June 2014 - 09:50 PM

When you boot to Safe Mode, does the computer work as expected?

 

Can you get to the Safe Mode Desktop?


Old duck...


#7 dstreet27 (Topic Starter, Members, 15 posts)

Posted 05 June 2014 - 10:01 PM

Yup!

#8 Aaflac (Malware Response Team, 2,307 posts)

Posted 05 June 2014 - 10:18 PM

Sounds like trouble with the video card...

 

In Safe Mode:

 

Click on the Windows 7 Start button.

 

Type the following command in the search box and then hit the Enter key:

devmgmt.msc

 

In Device Manager, any red or yellow marks by Display Adapters?

What does it list as your adapter?


Old duck...


#9 dstreet27 (Topic Starter, Members, 15 posts)

Posted 05 June 2014 - 10:28 PM

Display Adapter is NVIDIA GeForce GT 230M, no yellow or red mark.

Yellow mark under
System devices
Consumer IR devices
Windows cannot load the required drivers for the device (Code 31)

#10 Aaflac (Malware Response Team, 2,307 posts)

Posted 05 June 2014 - 11:20 PM

Let's do some more malware checkup and see how it goes...

 

In Safe Mode with Networking:

 

Please download Malwarebytes Anti-Malware (New version)
Download > http://www.malwarebytes.org/free/?gclid=COjk8O_Xi74CFcU-MgodbxEArQ
Save to the Desktop.
 
Double-click mbam-setup-2.X.X.XXXX.exe to install (X's = current version)
Place a checkmark next to Launch Malwarebytes Anti-Malware, then click: Finish
 
Once MBAM opens, where it says Your database is out of date, click the Fix Now button.
 
Next, click the Settings tab at the top, and, in the left column, select Detections and Protections
If not already checked, select: Scan for rootkits
 
Click the Scan tab at the top of the program window, and select: Threat Scan
Next, click: Scan Now
 
If you receive a message that updates are available, click: Update Now
 
At this point, the update is downloaded, installed, and the scan starts.
The scan may take some time to finish, so please be patient.
 
If potential threats are detected, select Quarantine All as the Action for all the listed items.
Next, click: Apply Actions
 
While still on the Scan tab, click the link for View detailed log
In the window that opens, click the Export button, select Text file (*.txt), and save the log to the Desktop.
 
Please post the MBAM log in your reply.
 
Notes:
1. The log is automatically saved by MBAM and is also viewed by clicking:
History tab > Application Logs.
2. If MBAM encounters a file that is difficult to remove...
Click OK and allow MBAM to proceed with the disinfection process.
If asked to restart the computer, please do so immediately.

 

 

Also, see if you can boot into Windows normally. Let us know.
 


Edited by Aaflac, 05 June 2014 - 11:31 PM.

Old duck...


#11 dstreet27 (Topic Starter, Members, 15 posts)

Posted 06 June 2014 - 08:29 AM

Here you go!

 

Malwarebytes Anti-Rootkit BETA 1.07.0.1009
www.malwarebytes.org

Database version: v2014.06.05.13

Windows 7 Service Pack 1 x64 NTFS (Safe Mode/Networking)
Internet Explorer 10.0.9200.16736
Michelle :: MICHELLE-PC [administrator]

05/06/2014 9:34:11 PM
mbar-log-2014-06-05 (21-34-11).txt

Scan type: Quick scan
Scan options enabled: Anti-Rootkit | Drivers | MBR | Physical Sectors | Memory | Startup | Registry | File System | Heuristics/Extra | Heuristics/Shuriken
Scan options disabled:
Objects scanned: 325500
Time elapsed: 2 hour(s), 26 minute(s), 43 second(s) [aborted]

Memory Processes Detected: 0
(No malicious items detected)

Memory Modules Detected: 0
(No malicious items detected)

Registry Keys Detected: 0
(No malicious items detected)

Registry Values Detected: 1
HKCU\CONTROL PANEL\DON'T LOAD|wscui.cpl (Hijack.SecurityCenter) -> Data: No -> No action taken.

Registry Data Items Detected: 0
(No malicious items detected)

Folders Detected: 0
(No malicious items detected)

Files Detected: 6
C:\Users\jordan\Downloads\XvidSetup (1).exe (Adware.Agent) -> No action taken.
C:\Users\jordan\Downloads\XvidSetup.exe (Adware.Agent) -> No action taken.
C:\Users\Michelle\Downloads\XvidSetup.exe (Adware.Hotbar) -> No action taken.
C:\Users\Michelle\AppData\Local\rdl.exe (Trojan.Agent) -> No action taken.
C:\Users\Michelle\AppData\Local\sik.exe (Trojan.Agent) -> No action taken.
C:\Users\Michelle\AppData\Local\xqi.exe (Trojan.Agent) -> No action taken.

Physical Sectors Detected: 0
(No malicious items detected)

(end)
 


I was able to log in to Windows normally :)



#12 Aaflac (Malware Response Team, 2,307 posts)

Posted 06 June 2014 - 11:56 AM

Excellent!!!
 
 
Let's take some action with what MBAM is reporting...
 
Please run the scan, and when you get to the part where potential threats are detected, select Quarantine All as the Action for all the listed items.
Next, click: Apply Actions.

Please post the MBAM log in your reply.



Also, please download the Farbar Service Scanner
Save to the Desktop, and run it on the computer with the issue.
  • Make sure the following options are checked:
    • Internet Services
    • Windows Firewall
    • System Restore
    • Security Center/Action Center
    • Windows Update
    • Windows Defender
    • Other Services
  • Press: Scan
  • The tool creates a log (FSS.txt) on the Desktop.
  • Please provide the FSS.txt in your reply.

Edited by Aaflac, 06 June 2014 - 12:06 PM.

Old duck...


#13 dstreet27 (Topic Starter, Members, 15 posts)

Posted 07 June 2014 - 10:03 AM

The Malware log.txt is on its way.

 

 

Here is the FSS.txt...

 

As shown, Action Centre and Windows Update don't work.

 

Farbar Service Scanner Version: 21-05-2014
Ran by Michelle (administrator) on 07-06-2014 at 10:57:21
Running from "G:\"
Microsoft Windows 7 Home Premium  Service Pack 1 (X64)
Boot Mode: Normal
****************************************************************

Internet Services:
============

Connection Status:
==============
Localhost is accessible.
LAN connected.
Google IP is accessible.
Google.com is accessible.
Yahoo.com is accessible.


Windows Firewall:
=============

Firewall Disabled Policy:
==================


System Restore:
============

System Restore Disabled Policy:
========================


Action Center:
============

wscsvc Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of wscsvc. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of wscsvc. The value does not exist.
Unable to retrieve ServiceDll of wscsvc. The value does not exist.


Windows Update:
============
wuauserv Service is not running. Checking service configuration:
The start type of wuauserv service is set to Disabled. The default start type is Auto.
The ImagePath of wuauserv service is OK.
The ServiceDll of wuauserv service is OK.


Windows Autoupdate Disabled Policy:
============================


Windows Defender:
==============
WinDefend Service is not running. Checking service configuration:
Checking Start type: ATTENTION!=====> Unable to retrieve start type of WinDefend. The value does not exist.
Checking ImagePath: ATTENTION!=====> Unable to retrieve ImagePath of WinDefend. The value does not exist.
Unable to retrieve ServiceDll of WinDefend. The value does not exist.


Other Services:
==============


File Check:
========
C:\Windows\System32\nsisvc.dll => MD5 is legit
C:\Windows\System32\drivers\nsiproxy.sys => MD5 is legit
C:\Windows\System32\dhcpcore.dll => MD5 is legit
C:\Windows\System32\drivers\afd.sys => MD5 is legit
C:\Windows\System32\drivers\tdx.sys => MD5 is legit
C:\Windows\System32\Drivers\tcpip.sys => MD5 is legit
C:\Windows\System32\dnsrslvr.dll => MD5 is legit
C:\Windows\System32\mpssvc.dll => MD5 is legit
C:\Windows\System32\bfe.dll => MD5 is legit
C:\Windows\System32\drivers\mpsdrv.sys => MD5 is legit
C:\Windows\System32\SDRSVC.dll => MD5 is legit
C:\Windows\System32\vssvc.exe => MD5 is legit
C:\Windows\System32\wscsvc.dll => MD5 is legit
C:\Windows\System32\wbem\WMIsvc.dll => MD5 is legit
C:\Windows\System32\wuaueng.dll => MD5 is legit
C:\Windows\System32\qmgr.dll => MD5 is legit
C:\Windows\System32\es.dll => MD5 is legit
C:\Windows\System32\cryptsvc.dll => MD5 is legit
C:\Program Files\Windows Defender\MpSvc.dll => MD5 is legit
C:\Windows\System32\ipnathlp.dll => MD5 is legit
C:\Windows\System32\iphlpsvc.dll => MD5 is legit
C:\Windows\System32\svchost.exe => MD5 is legit
C:\Windows\System32\rpcss.dll => MD5 is legit


**** End of log ****



#14 dstreet27 (Topic Starter, Members, 15 posts)

Posted 07 June 2014 - 04:13 PM

Hope this helps with the Windows Update and Action Centre

Thanks

 

 

Malwarebytes Anti-Malware
www.malwarebytes.org

Scan Date: 07/06/2014
Scan Time: 2:47:27 PM
Logfile: MB07-06.txt
Administrator: Yes

Version: 2.00.2.1012
Malware Database: v2014.06.07.05
Rootkit Database: v2014.06.02.01
License: Free
Malware Protection: Disabled
Malicious Website Protection: Disabled
Self-protection: Disabled

OS: Windows 7 Service Pack 1
CPU: x64
File System: NTFS
User: Michelle

Scan Type: Threat Scan
Result: Completed
Objects Scanned: 342085
Time Elapsed: 2 hr, 21 min, 7 sec

Memory: Enabled
Startup: Enabled
Filesystem: Enabled
Archives: Enabled
Rootkits: Enabled
Heuristics: Enabled
PUP: Enabled
PUM: Enabled

Processes: 0
(No malicious items detected)

Modules: 0
(No malicious items detected)

Registry Keys: 0
(No malicious items detected)

Registry Values: 0
(No malicious items detected)

Registry Data: 0
(No malicious items detected)

Folders: 0
(No malicious items detected)

Files: 0
(No malicious items detected)

Physical Sectors: 0
(No malicious items detected)


(end)



#15 Aaflac (Malware Response Team, 2,307 posts)

Posted 07 June 2014 - 09:52 PM

Let's give the following tool a shot at the repairs...

 

Since the following steps involve editing the Registry, please create a new restore point before proceeding:
http://www.sevenforums.com/tutorials/697-system-restore-point-create.html
Select: Option Two

 
Now, please download the ESET ServiceRepair tool:
http://kb.eset.com/library/ESET/KB%20Team%20Only/Malware/ServicesRepair.exe

Save to the Desktop.

Double-click to run the downloaded file.

 

When the program runs, a prompt appears asking if you want to proceed.

Click: Yes

 

When the Services routine is Completed, you are asked to Reboot.

Click Yes to allow the reboot.

 

The tool creates a folder on the Desktop named: CC Support

 

Please provide the CC Support\Logs\SvcRepair.txt in your reply.

 

 

Next, please run the Farbar Service Scanner once again, and also provide the FSS.txt in your reply.


Old duck...




